topic Re: Providing IPAddress and Subnet Mask and getting corresponding Network Address in Getting Data In

Do we have a function or way to determine network address provided we have ip address and subnet mask?

nabeel652 — Thu, 03 Aug 2023 20:13:52 GMT

Do we have a function or way to determine network address provided we have ip address and subnet mask?

For instance 10.3.3.28/24 ==> 10.3.3.0/24 as a simple example.

Re: Providing IPAddress and Subnet Mask and getting corresponding Network Address

cpetterborg — Mon, 11 Jul 2016 01:33:32 GMT

Look at the cidrmatch functionality. The cidrmatch function for eval can be found here:

http://docs.splunk.com/Documentation/Splunk/6.0.8/SearchReference/CommonEvalFunctions

Re: Providing IPAddress and Subnet Mask and getting corresponding Network Address

nabeel652 — Mon, 11 Jul 2016 02:21:33 GMT

Thanks. Well the problem is that:
We have two subnets in our lookup file.
10.2.2.0/24
10.2.0.0/16

Now if we don't provide subnetmask 10.2.2.25 can match to any of these. I need a Splunk function that is given 10.2.2.25/24 and returns 10.2.2.0/24
or
10.2.2.25/16 to reply with 10.2.0.0/16

Re: Providing IPAddress and Subnet Mask and getting corresponding Network Address

mcantaloube — Tue, 29 Sep 2020 21:49:13 GMT

Hi, not found any built-in function, so back to network theory and maths..sorry it's ugly !

NET_id contains the IP
NET_mask contains the network mask
NET_net is the network deducted from IP & Netmask

***NET_id* NET_mask => NET_net**
10.140.229.2 255.255.255.0 => 10.140.229.0
10.140.85.10 255.255.252.0 => 10.140.84.0

[.. Search ...]
| stats values(VLAN_name) as VLAN_name values(NET_id) as NET_id values(NET_mask) as NET_mask by ansible_host VLAN_id | eval octet = split(NET_id, ".")
| eval rank = split("1,2,3,4", ",")
| eval octet_rank = mvzip(rank, octet)
| mvexpand octet_rank
| eval octet_rank_split = split(octet_rank, ",")
| eval rank = mvindex(octet_rank_split, 0)
| eval octet = mvindex(octet_rank_split, 1)
| eval power = mvrange(0,8)
| mvexpand power
| eval base2 = pow(2, power)
| eval mydiv = floor(octet / base2)
| eval octet_bin = mydiv % 2
| stats list(octet_bin) as octet_bin by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask, rank, octet
| eval octet_bin = mvjoin(octet_bin, "")
| sort limit=0 NET_id, rank
| stats list(octet_bin) as octet_bin_ip by ansible_host VLAN_id, VLAN_name, NET_mask, NET_id
| eval octet_bin_ip = mvjoin(octet_bin_ip, "")
| eval octet = split(NET_mask, ".")
| eval rank = split("1,2,3,4", ",")
| eval octet_rank = mvzip(rank, octet)
| mvexpand octet_rank
| eval octet_rank_split = split(octet_rank, ",")
| eval rank = mvindex(octet_rank_split, 0)
| eval octet = mvindex(octet_rank_split, 1)
| eval power = mvrange(0,8)
| mvexpand power
| eval base2 = pow(2, power)
| eval mydiv = floor(octet / base2)
| eval octet_bin = mydiv % 2
| stats list(octet_bin) as octet_bin by ansible_host VLAN_id, VLAN_name, NET_mask, NET_id, octet_bin_ip, rank, octet
| eval octet_bin = mvjoin(octet_bin, "")
| sort limit=0 NET_id, rank
| stats list(octet_bin) as octet_bin_mask by ansible_host VLAN_id, VLAN_name, NET_id,octet_bin_ip, NET_mask
| eval octet_bin_mask = mvjoin(octet_bin_mask, "")

| eval rank = split("1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32 ", ",")
| eval octet_bit_ip = split(octet_bin_ip, "") | eval octet_bit_mask = split(octet_bin_mask, "")
| eval bit_rank = mvzip(rank, octet_bit_ip)
| eval bit_rank = mvzip(bit_rank, octet_bit_mask)
| mvexpand bit_rank

| eval bit_rank_split = split(bit_rank, ",")
| eval rank = mvindex(bit_rank_split, 0)
| eval bit_ip = mvindex(bit_rank_split, 1)

| eval bit_mask = mvindex(bit_rank_split, 2)
| eval bit_net=if(bit_mask == 1, bit_ip, bit_mask)
| fields + ansible_host VLAN_id VLAN_name NET_id NET_mask bit_net rank
| eval rank=rank-1| eval rank_oct=(rank)/8
| eval rank_oct2=rank-floor(rank_oct%8)*8
| eval oct_dec=pow(2,rank_oct2)*bit_net
| eval rank_oct=floor(rank_oct)+1
| stats sum(oct_dec) as oct_dec by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask, rank_oct
| stats list(oct_dec) as oct_dec by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask
| eval NET_net=mvjoin(oct_dec, ".")
| fields - oct_dec

Re: Providing IPAddress and Subnet Mask and getting corresponding Network Address

Raghubansh — Sun, 09 Aug 2020 06:37:58 GMT

Hi Folks,

I have same query like is it possible that I can get the subnet mask and gateway for any IP address in splunksearch?

Re: Providing IPAddress and Subnet Mask and getting corresponding Network Address

isoutamo — Sun, 09 Aug 2020 13:22:40 GMT

as there is no mandatory address for gw in subnet that information, You couldn't get it without that it's stored to your events.

Quite often GW's address is first or last usable ip on subnet, but that's mostly a best practises not mandatory.

r. Ismo

Re: Providing IPAddress and Subnet Mask and getting corresponding Network Address

thambisetty — Sun, 09 Aug 2020 16:55:54 GMT

Can you verify question once.

Are you trying to get subnet/subnet mask for range of ips ( when you input first and last ip)?

Netmasks (or subnet masks) are a shorthand for referring to ranges of consecutive IP addresses in the Internet Protocol.

Re: Providing IPAddress and Subnet Mask and getting corresponding Network Address

thambisetty — Sun, 09 Aug 2020 16:59:35 GMT

@nabeel652 You can do this with SPL easily.

Re: Providing IPAddress and Subnet Mask and getting corresponding Network Address

gntani1981 — Thu, 17 Dec 2020 15:07:01 GMT

I had this same issue and eventually used a lookup table for decimal (0-255) to Binary conversion. I called my lookup table Decimal_To_Binary with fields Decimal/Binary. I used MyIPNet to hold the static IPv4/netmask you want to convert. In general, this will be your input field.

| eval MyIPNet="10.162.241.94/28"
| eval MyIP=mvindex(split(MyIPNet,"/"),0)
| eval MyNetMask=mvindex(split(MyIPNet,"/"),1)
| eval MyIPSplit=split(MyIP,".")
| eval IPPadding="00000000000000000000000000000000"
| eval Octet1=mvindex(MyIPSplit,0), Octet2=mvindex(MyIPSplit,1),Octet3=mvindex(MyIPSplit,2),Octet4=mvindex(MyIPSplit,3)
| lookup Decimal_To_Binary Decimal AS Octet1 OUTPUT Binary AS OutOctet1
| lookup Decimal_To_Binary Decimal AS Octet2 OUTPUT Binary AS OutOctet2
| lookup Decimal_To_Binary Decimal AS Octet3 OUTPUT Binary AS OutOctet3
| lookup Decimal_To_Binary Decimal AS Octet4 OUTPUT Binary AS OutOctet4
| eval BinaryIP=printf("%08d",OutOctet1)+printf("%08d",OutOctet2)+printf("%08d",OutOctet3)+printf("%08d",OutOctet4)
| eval SubnetBinary=substr(substr(BinaryIP, 1, MyNetMask).IPPadding, 1, 32)
| eval IPSubNet=tonumber(substr(SubnetBinary,1,8),2).".".tonumber(substr(SubnetBinary,9,8),2).".".tonumber(substr(SubnetBinary,17,8),2).".".tonumber(substr(SubnetBinary,25,8),2)."/".MyNetMask

Re: Providing IPAddress and Subnet Mask and getting corresponding Network Address

tfujita_splunk — Thu, 03 Aug 2023 19:54:30 GMT

For converting to network address from ip address/mask or prefix,
I added the following external command lookup to the App below.

Usage:

| makeresults
| eval ip="10.3.3.28/24"
| lookup local=t ipcalclookup Address as ip OUTPUT Network Prefix
| eval netaddr=Network."/".Prefix

Input Address can also be in the following format.
* ip/netmask: e.g. 192.0.2.17/255.255.255.240
* ip/prefix: e.g. 192.0.2.17/28
* ipv6/prefix: e.g. 2001:db8:1234::1/64

Numeral system macros for Splunk
https://splunkbase.splunk.com/app/6595